How the Attack on NY Times and Twitter Domains Could Have Been Worse

Published on August 28, 2013 by Arik Hesseldahl

Fair warning: The domain-hijacking attacks carried out by the Syrian Electronic Army against the New York Times and Twitter yesterday could have been worse, according to a security expert who has studied the method of the attack.

The attackers basically changed the domain settings for NYTimes.com, Twitter.com and twimg.com, another Twitter-controlled domain, and sought to use the root domain name system that directs the traffic of the Internet. As they explained in a series of messages on Twitter this morning, the attackers essentially tried to send Web users who were attempting to get to the Times and to Twitter to the wrong place.

What they did was break into the systems of the company that had registered the domain names. That company is Australia-based Melbourne IT, and it turns out that it’s a pretty popular domain host.

Moore said that several well-known companies who have also registered their domain names via Melbourne IT had, at the time the attack was carried out, left their domains “unlocked” by not taking advantage of an account feature that prevents the domain settings from being easily changed.

“Although Twitter did have a lock in place, at the time of the attack, many large-brand domains were hosted with Melbourne IT and were not locked,” Moore said in an email to AllThingsD. “There is no evidence that the attackers made changes to these domains, but these were potentially vulnerable at the time the attack took place. In other words, things could have been much worse.”

Among the domains hosted by Melbourne IT that were unlocked, and thus exposed to the same kind of attack, were those of a few household corporate names: Software company Adobe, networking giant Cisco Systems, Web company AOL and book retailer Barnes & Noble, as well as popular sites like Engadget, the Huffington Post and coffee concern Starbucks.